[asterisk-bugs] [Asterisk 0017276]: bypass "contactdeny" with nat=yes

Asterisk Bug Tracker noreply at bugs.digium.com
Fri May 7 10:57:18 CDT 2010 

The following issue requires your FEEDBACK. 
====================================================================== 
https://issues.asterisk.org/view.php?id=17276 
====================================================================== 
Reported By:                klaus3000
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   17276
Category:                   Channels/chan_sip/Registration
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     feedback
Asterisk Version:           SVN 
JIRA:                        
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases):  trunk 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2010-05-03 09:56 CDT
Last Modified:              2010-05-07 10:57 CDT
====================================================================== 
Summary:                    bypass "contactdeny" with nat=yes
Description: 
Hi!

chan_sip's "contactdeny" feature screens the "to be registered contact".
In case of nat=yes it should not use the address information from the
Contact header (which is not used at all for routing), but the source IP
address of the request.

Thus, if nat=yes and a client sends a request from a denied IP address
(e.g. by spoofing the src-IP address) it can bypass the screening.
====================================================================== 

---------------------------------------------------------------------- 
 (0121555) lmadsen (administrator) - 2010-05-07 10:57
 https://issues.asterisk.org/view.php?id=17276#c121555 
---------------------------------------------------------------------- 
Ya chan_sip handling is a contentious issue because someone could
potentially be expecting/working around that, and we need to be very
careful about these types of changes and to give it lots of thought on what
it could potentially break.

That's not to say this may not be a fine change, but we should get some
feedback. Thanks! 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-05-07 10:57 lmadsen        Note Added: 0121555                          
2010-05-07 10:57 lmadsen        Status                   new => feedback     
======================================================================

More information about the asterisk-bugs mailing list